Data theft is a constant threat to companies that do business of any kind online, and although the threat landscape is always evolving, security experts say digital crimes are largely predictable. Year over year, most breaches and security incidents fall into nine categories, and a given industry tends to be the target of just two or three of them, according to the analysts who compile the annual international Verizon Data Breach Investigations Report (DBIR).
Data breaches can involve human error, crimeware, insider misuse, physical loss or theft, web app attacks, espionage, point of sale (POS) intrusions, and payment card skimming. Denial of service (DoS) attacks are included even though they are not breaches in themselves, because they increasingly serve as a distraction while criminals steal data or install malware. The DBIR calls these common threat categories the “nefarious nine.” Learning which threats are most dangerous to your business can help you develop better prevention and response programs.
Point of sale system breaches lead incidents in hospitality, entertainment, and retail
More than 90% of the hospitality industry incidents reported in 2014 involved POS system compromise, along with 73% of entertainment and 70% of retail incidents.
To reduce the likelihood of a POS intrusion: update and strengthen the passwords on your POS devices; eliminate remote access to your POS software; ensure that all employees, vendors, and partners with access to your company network follow strict password guidelines; limit internet access from your POS system; and keep your POS software patched and protected with antivirus and firewall software.
Payment card skimmers affected financial services, retail, and mining
ATMs, fuel pumps, and retail checkout POS devices are frequent targets, and experts say that both large and small retailers can become skimming victims. Merchants who handle card-present transactions must familiarize themselves with the PCI-DSS guidelines and Visa’s best practices on tampering prevention. These include locating POS terminals where employees and security cameras can monitor them, using PCI-DSS compliant equipment, and installing data cables and power supply cords in a way that makes them inaccessible and/or hard to identify.
Human error is a big problem for many industries
A surprising amount of data theft is opportunistic. DBIR researchers found that 60% of the reported 2014 incidents in this category were attributable to human error. The IBM 2014 Cyber Security Intelligence Index attributed a remarkable 95% of all data-security incidents to human error.
Miscellaneous errors, a broad category that includes human mistakes and system glitches, was the leading cause of data theft in healthcare, the second-largest cause in entertainment and education, and the third-largest cause in retail and hospitality. The three most common types of mistakes were sending sensitive information to the wrong recipients, placing information that was supposed to remain private on public web servers, and improper disposal of private data. Experts recommend that all employees use extreme caution with auto-fill email address forms, data disposal, and web publishing protocols.
POS breaches, skimming, and human error are the most common threats to merchants in retail, hospitality, and entertainment. The remaining categories in the “nefarious nine” are less likely to affect merchants and more likely to impact heavy industry, government, and professional services including finance:
- Insider misuse of data was the primary cause of loss in administrative and mining sectors.
- Digital espionage was the biggest threat to manufacturing and professional services.
- Crimeware unrelated to espionage or POS hacking was responsible for the majority of confirmed 2014 incidents in the educational, public, and financial services sectors.
- Web app attacks, many using stolen credentials, were the second-largest threat within the financial services and information industries, but they didn’t lead in any industry’s threat landscape.
- Physical loss or theft of devices containing valued data was the third-highest loss vector for the healthcare industry, fourth-highest for education, and the second-highest for other services.
- Denial of service attacks did not directly cause any data theft, although the retail and hospitality industries were frequent victims of attacks that disrupted service for legitimate users.
Address the largest threats first
Merchants, especially those in hospitality, retail, and entertainment, can greatly reduce the likelihood of data theft by working with their payment service provider (PSP) to ensure PCI-DSS compliance and to evaluate their point of sale software and hardware setups. An experienced PSP can also be a partner in blocking transactions from known fraudulent IP addresses, identifying potentially fraudulent transactions, and notifying the merchant.
Regular reviews and updates of payment system security, along with regular training for employees on safe data handling procedures, can sharply reduce your company’s risk of falling prey to digital data thieves.
Photo credit: Matthew Wiebe